<html>
<body>
Reports cases when a non-safe object is passed to a method with a parameter marked with <code>@Untainted</code> annotations, returned from
annotated methods or assigned to annotated fields, parameters, or local variables. Kotlin <code>set</code> and <code>get</code> methods for fields are not
supported as entry points.
<p>
  A safe object (in the same class) is:
<ul>
  <li>a string literal, interface instance, or enum object</li>
  <li>a result of a call of a method that is marked as <code>@Untainted</code></li>
  <li>a private field, which is assigned only with a string literal and has a safe initializer</li>
  <li>a final field, which has a safe initializer</li>
  <li>local variable or parameter that are marked as <code>@Untainted</code> and are not assigned from non-safe objects</li>
  This field, local variable, or parameter must not be passed as arguments to methods or used as a qualifier or must be a primitive, its
  wrapper or immutable.
</ul>
Also static final fields are considered as safe.
<p>
  The analysis is performed only inside one file. To process dependencies from other classes, use options.
  The analysis extends to private or static methods and has a limit of depth propagation.
<p>
  Example:
<pre>
<code lang="java">
  void doSmth(boolean b) {
    String s = safe();
    String s1 = "other";
    if (b) s1 = s;
    sink(s);
  }

  String sink(@Untainted String s) {}
</code>
</pre>
<p>
  Here we do not have non-safe string assignments to <code>s</code> so a warning is not produced. On the other hand:
<pre>
<code lang="java">
  void doSmth(boolean b) {
    String s = safe();
    String s1 = "other";
    s1 = foo();
    if (b) s = s1;
    sink(s);        // warning here
  }

  String foo();

  String sink(@Untainted String s) {}
</code>
</pre>
<p>
  Here we have a warning since <code>s1</code> has an unknown state after <code>foo</code> call result assignment.
  <!-- tooltip end -->
<p><small>New in 2021.2</small></p>
</body>
</html>
